Netyjnd

Loading the leaflet Map in Lightning Web Component

What does "mu" mean as an interjection?

Do I need to consider instance restrictions when showing a language is in P?

What does Jesus mean regarding "Raca," and "you fool?" - is he contrasting them?

How to terminate ping <dest> &

Relation between independence and correlation of uniform random variables

Practical application of matrices and determinants

Brake pads destroying wheels

Describing a chess game in a novel

Is honey really a supersaturated solution? Does heating to un-crystalize redissolve it or melt it?

Help prove this basic trig identity please!

What can I do if I am asked to learn different programming languages very frequently?

World War I as a war of liberals against authoritarians?

What favor did Moody owe Dumbledore?

Why are there no stars visible in cislunar space?

What does "^L" mean in C?

Does the attack bonus from a Masterwork weapon stack with the attack bonus from Masterwork ammunition?

Inhabiting Mars versus going straight for a Dyson swarm

Can you move over difficult terrain with only 5 feet of movement?

Does .bashrc contain syntax errors?

Unfrosted light bulb

Fewest number of steps to reach 200 using special calculator

Help rendering a complicated sum/product formula

Asserting that Atheism and Theism are both faith based positions

Differential and Linear trail propagation in Noekeon

differential and linear cryptanalysisDifference between linear cryptanalysis and differential cryptanalysisWhat is the complexity for attacking 3DES in linear or differential cryptanalysis?Differential CryptanalysisDifferential & linear characteristics for integer multiplicationWhat is the meaning of Maximum Expected Differential/Linear Probability (MEDP/MELP)?Understanding the wide trail design strategyit is possible to use quantum algorithm search (Grover's algorithm) for new searching strategies for differential and linear attacksLinear cryptanalysis and number of linear approximationsHow does linear vs. non-linear operations relate to cryptographic security and differential cryptanalysis?

5

2

$begingroup$

In the Noekeon Cipher Specification they write the following :

The propagation through Lambda is denoted by $(a rightarrow A)$, also called a
step. Because of the linearity of Lambda it is fully deterministic:
both for LC and DC patterns, we have: $A = operatornameLambda(a)$. The fact that the
relation is the same for LC and DC is thanks to the fact that the
Lambda is an orthogonal function. If represented in a matrix, its
inverse is its transpose.

I'm having a hard time understanding why the orthogonality of Lambda affects the relation with regards to selection patterns (LC).

Why does the orthogonality of Lambda make it so that the relationship is the same as for DC ? How would the selection pattern propagate through the linear layer if Lambda was not orthogonal ?

cryptanalysis block-cipher linear-cryptanalysis differential-analysis

share|improve this question

edited 12 hours ago

Yuon

asked 13 hours ago

YuonYuon

787

$endgroup$

add a comment | 

5

2

$begingroup$

In the Noekeon Cipher Specification they write the following :

The propagation through Lambda is denoted by $(a rightarrow A)$, also called a
step. Because of the linearity of Lambda it is fully deterministic:
both for LC and DC patterns, we have: $A = operatornameLambda(a)$. The fact that the
relation is the same for LC and DC is thanks to the fact that the
Lambda is an orthogonal function. If represented in a matrix, its
inverse is its transpose.

I'm having a hard time understanding why the orthogonality of Lambda affects the relation with regards to selection patterns (LC).

Why does the orthogonality of Lambda make it so that the relationship is the same as for DC ? How would the selection pattern propagate through the linear layer if Lambda was not orthogonal ?

cryptanalysis block-cipher linear-cryptanalysis differential-analysis

share|improve this question

edited 12 hours ago

Yuon

asked 13 hours ago

YuonYuon

787

$endgroup$

add a comment | 

$begingroup$

In the Noekeon Cipher Specification they write the following :

The propagation through Lambda is denoted by $(a rightarrow A)$, also called a
step. Because of the linearity of Lambda it is fully deterministic:
both for LC and DC patterns, we have: $A = operatornameLambda(a)$. The fact that the
relation is the same for LC and DC is thanks to the fact that the
Lambda is an orthogonal function. If represented in a matrix, its
inverse is its transpose.

I'm having a hard time understanding why the orthogonality of Lambda affects the relation with regards to selection patterns (LC).

Why does the orthogonality of Lambda make it so that the relationship is the same as for DC ? How would the selection pattern propagate through the linear layer if Lambda was not orthogonal ?

cryptanalysis block-cipher linear-cryptanalysis differential-analysis

share|improve this question

edited 12 hours ago

Yuon

asked 13 hours ago

YuonYuon

787

$endgroup$

share|improve this question

edited 12 hours ago

Yuon

asked 13 hours ago

YuonYuon

787

share|improve this question

edited 12 hours ago

Yuon

asked 13 hours ago

YuonYuon

787

asked 13 hours ago

YuonYuon

787

asked 13 hours ago

YuonYuon

787

1 Answer
1

active

oldest

votes

3

$begingroup$

This is due to the duality between linear and differential trails.
Let $L$ be an invertible linear map on $mathbbF_2^n$, think of it as a matrix for convenience.
In general, a nonzero differential $Delta_1 to Delta_2$ over $L$ must satisfy

$$Delta_2 = L,Delta_1.$$

A nonzero linear approximation $u_1 to u_2$, however, must satisfy

$$u_2 = L^-top,u_1$$

An elementary way to see this is to observe that $u_1^top x = u_2^top (Lx)$ is equivalent to $u_1^top x = (L^top,u_2)^top x$. This holds for all $x in mathbbF_2^n$ whenever $u_2 = L^-top,u_1$, and otherwise for half (some hyperplane) the $x$.

If $L$ is orthogonal, then $L^-T = L$. So then we have both $Delta_2 = LDelta_1$ and $u_2 = L u_1$.

share|improve this answer

answered 9 hours ago

AlephAleph

1,3061220

$endgroup$

• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  I suspected it was because of something like that. Could you just give some intuition as to why we want $u^T_1 x = u^T_2(Lx)$ in first place ? If I had to come up with that, I'd think it's the other way around $u^T_2 x = u^T_1 (Lx)$ just like the differential case.
  $endgroup$
  – Yuon
  8 hours ago
  
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
);
);
, "mathjax-editing");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f68085%2fdifferential-and-linear-trail-propagation-in-noekeon%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

3

$begingroup$

This is due to the duality between linear and differential trails.
Let $L$ be an invertible linear map on $mathbbF_2^n$, think of it as a matrix for convenience.
In general, a nonzero differential $Delta_1 to Delta_2$ over $L$ must satisfy

$$Delta_2 = L,Delta_1.$$

A nonzero linear approximation $u_1 to u_2$, however, must satisfy

$$u_2 = L^-top,u_1$$

An elementary way to see this is to observe that $u_1^top x = u_2^top (Lx)$ is equivalent to $u_1^top x = (L^top,u_2)^top x$. This holds for all $x in mathbbF_2^n$ whenever $u_2 = L^-top,u_1$, and otherwise for half (some hyperplane) the $x$.

If $L$ is orthogonal, then $L^-T = L$. So then we have both $Delta_2 = LDelta_1$ and $u_2 = L u_1$.

share|improve this answer

answered 9 hours ago

AlephAleph

1,3061220

$endgroup$

• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  I suspected it was because of something like that. Could you just give some intuition as to why we want $u^T_1 x = u^T_2(Lx)$ in first place ? If I had to come up with that, I'd think it's the other way around $u^T_2 x = u^T_1 (Lx)$ just like the differential case.
  $endgroup$
  – Yuon
  8 hours ago
  
  

  
  
  
  

add a comment | 

3

$begingroup$

This is due to the duality between linear and differential trails.
Let $L$ be an invertible linear map on $mathbbF_2^n$, think of it as a matrix for convenience.
In general, a nonzero differential $Delta_1 to Delta_2$ over $L$ must satisfy

$$Delta_2 = L,Delta_1.$$

A nonzero linear approximation $u_1 to u_2$, however, must satisfy

$$u_2 = L^-top,u_1$$

An elementary way to see this is to observe that $u_1^top x = u_2^top (Lx)$ is equivalent to $u_1^top x = (L^top,u_2)^top x$. This holds for all $x in mathbbF_2^n$ whenever $u_2 = L^-top,u_1$, and otherwise for half (some hyperplane) the $x$.

If $L$ is orthogonal, then $L^-T = L$. So then we have both $Delta_2 = LDelta_1$ and $u_2 = L u_1$.

share|improve this answer

answered 9 hours ago

AlephAleph

1,3061220

$endgroup$

• 
  
  
  

  
  

  
  
  
  
  
  

  
  $begingroup$
  I suspected it was because of something like that. Could you just give some intuition as to why we want $u^T_1 x = u^T_2(Lx)$ in first place ? If I had to come up with that, I'd think it's the other way around $u^T_2 x = u^T_1 (Lx)$ just like the differential case.
  $endgroup$
  – Yuon
  8 hours ago
  
  

  
  
  
  

add a comment | 

$begingroup$

This is due to the duality between linear and differential trails.
Let $L$ be an invertible linear map on $mathbbF_2^n$, think of it as a matrix for convenience.
In general, a nonzero differential $Delta_1 to Delta_2$ over $L$ must satisfy

$$Delta_2 = L,Delta_1.$$

A nonzero linear approximation $u_1 to u_2$, however, must satisfy

$$u_2 = L^-top,u_1$$

An elementary way to see this is to observe that $u_1^top x = u_2^top (Lx)$ is equivalent to $u_1^top x = (L^top,u_2)^top x$. This holds for all $x in mathbbF_2^n$ whenever $u_2 = L^-top,u_1$, and otherwise for half (some hyperplane) the $x$.

If $L$ is orthogonal, then $L^-T = L$. So then we have both $Delta_2 = LDelta_1$ and $u_2 = L u_1$.

share|improve this answer

answered 9 hours ago

AlephAleph

1,3061220

$endgroup$

share|improve this answer

answered 9 hours ago

AlephAleph

1,3061220

answered 9 hours ago

AlephAleph

1,3061220

answered 9 hours ago

AlephAleph

1,3061220